Is there a good, detailed protocol doc/security analysis for the Proton e2e/docs stuff they've come out with? I'd like to believe, but they really don't give you much to go on.
Conversation
Notices
-
Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 03-Dec-2024 08:49:21 JST 
Eleanor Saitta
-
Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 03-Dec-2024 09:05:08 JST
Eleanor Saitta
(back in the day, we spent a while digging into ways you could chip away at that problem when I was working on SecureDrop architecture bits, but afaik no one ever took a serious swing at it)
-
Embed this notice
Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Tuesday, 03-Dec-2024 09:05:08 JST 
Michał "rysiek" Woźniak · 🇺🇦
@dymaxion I suppose SRI was not a thing back then? feels like something that would end up being a part of any solution to this problem. :blobcatthink:
-
Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 03-Dec-2024 09:05:09 JST
Eleanor Saitta
Similarly, what's out there for cryptpad? They obviously both share the "you trust the server to not send you backdoored JS problem" that all these tools have, but beyond that?
-
Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 03-Dec-2024 09:15:00 JST
Eleanor Saitta
@rysiek
It was just starting to be. The approach we were poking at would have been a browser plugin that let you do cert pinning for SRI, possibly with some kind of certificate transparency style system for the SRI hashes that have been seen. There are a lot of devils and details, but I think it could have both worked and likely turned into a standard, eliminating the need for the plugin and letting it lift the whole ecosystem. -
Embed this notice
Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Tuesday, 03-Dec-2024 09:15:00 JST
Michał "rysiek" Woźniak · 🇺🇦
@dymaxion right, that makes sense
-
Embed this notice
All GNU social JP content and data are available under the